Re: [w3ctag/design-reviews] Eligibility for autofill (Issue #831)

jyasskin left a comment (w3ctag/design-reviews#831)

After a pretty lengthy discussion here (the TAG is happy to facilitate working group discussions on these issues, but might prefer that they occur within the working group) and some discussion with the TAG, we are going to close this as "satisfied".

There are some practices that this fragmented-form arrangement enables we might prefer not exist.  However, we recognize that those uses are indistinguishable from some fairly reasonable practices, like having delivery information forwarded to both vendor and payment provider, while ensuring that credit card numbers only ever go to the payment provider.

Being able to constrain what is, or isn't, something that can be autofilled gives sites the ability to narrowly grant framed content these capabilities, so that only the "approved" frames get the feature and - importantly - those frames without approval don't. The explainer implies that this directly helps the user avoid inadvertently revealing information to sites, but it's more about giving sites better controls that can indirectly help that user goal.

Of course, this is all-or-nothing: once a site has this permission, it gets all autocomplete, even the stuff that a top-level origin might prefer it does not.  That's a reasonable compromise in the design.

The use of permissions policy seems appropriate here. However, we'd appreciate
* a clearer description of whether and how browsers vary in how they allow autofill across iframed sites, and
* a better explanation of why you think it's achievable to make the default policy `'self'`, if sites currently rely on filling forms across iframe boundaries.

Please also update your standards-positions requests so that [WebKit](https://github.com/WebKit/standards-positions/issues/141) and [Mozilla](https://github.com/mozilla/standards-positions/issues/752) know that the proposal has changed significantly.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/831#issuecomment-3130488268

Message ID: <w3ctag/design-reviews/issues/831/3130488268@github.com>

Received on Tuesday, 29 July 2025 03:19:49 UTC